Server 2003 Active Directory Infrastructure

1. Gary is a network administrator for a medical supply company whose Active Directory network includes one domain and three sites. There are several departments, each with its own OU. The Pharmaceutical department has requested that Horst create a virtual private network (VPN) connection to an external pharmaceutical research firm. This connection is to be available to only members of the Research global security group. What should Gary do to ensure that only members of this group can access the VPN connection?
A. Create a new GPO and link it to the Pharmaceutical OU. For this GPO, enable the "Remove Network Connections from Start Menu" policy. For the Research group, disable the Read and Apply Group Policy permissions for this GPO.
B. Create a new GPO and link it to the Pharmaceutical OU. For this GPO, disable the "Remove Network Connections from Start Menu" policy. For the Research group, enable the Read and Apply Group Policy permissions for this GPO.
C. Create a new GPO and link it to the domain. For this GPO, enable the "Remove Network Connections from Start Menu" policy. Create a second GPO and link it to the Pharmaceutical OU. For this GPO, disable the same policy. For the Research group, enable the Read and Apply Group Policy permissions for the second GPO.
D. Create a new GPO and link it to the domain. For this GPO, enable the "Remove Network Connections from Start Menu" policy. For the Research group, deny the Read and Apply Group Policy permissions for this GPO.
2. A user named Natasha in your company has been promoted to Assistant Supervisor in the Marketing department. As well as a promotion, this is a transfer from the Financial department, and involves several changes in group membership. Each department in your company has its own OU in Active Directory, and there are several domain- and OU-based GPOs in effect. You need to ensure that she will receive proper Group Policy settings once she is in her new position. Which of the following changes can you simulate in Resultant Set of Policy (RSoP) planning mode? (Choose all that apply)
A. The computer she will be accessing the domain from.
B. The Active Directory site she will be accessing the domain from.
C. Her membership in universal groups.
D. Her use of a smart card to log on in the new department.
E. Use of Windows Management Instrumentation (WMI) filters.
3. Amanda is the network administrator for her company, which operates a single domain Active Directory network. The domain includes OUs named Design, Sales, Management, and Financial. Amanda has delegated complete administrative control over each OU to a junior administrator located in that respective OU. Amanda has configured the Default Domain Policy GPO with several desktop restrictions and security settings that management wants to be applied to all users in the domain regardless of which OU they are located in. However, she finds that users located in the Financial OU are receiving different settings than those specified in the Default Domain Policy GPO. She suspects that a GPO named FinancialPolicy created by the junior administrator in charge of this OU is causing the problem. What should Amanda do to ensure that all settings in the Default Domain Policy GPO apply to the Financial users?
A. Specify Block Policy Inheritance at the domain level.
B. Specify Block Policy Inheritance at the Financial OU level.
C. Configure the link to the Default Domain Policy GPO with No Override.
D. Configure the link to the FinancialPolicy GPO with No Override.
E. Enable loopback processing mode for the Default Domain Policy GPO.
F. Enable loopback processing mode for the FinancialPolicy GPO.
4. John is the network administrator for a wholesale distributor that has experienced large growth in the past two years. He has become aware that a user named Norma has taken several advanced computer courses and acquired basic knowledge of the workings of Active Directory. After talking with his supervisor and interviewing Norma, John has decided to provide Norma with the ability to create and manage user accounts in the Accounting OU. Which of the following tasks should John do to provide Norma with this ability, without granting her excessive control? Each answer represents a complete solution to the problem. (Choose all that apply)
A. Grant Norma's account the appropriate permissions in Active Directory.
B. Grant the Accounting OU the appropriate permissions in Active Directory.
C. Add Norma's account to the Account Operators group.
D. Use the Delegation of Control Wizard.
5. Your company, which operates an Active Directory forest named widgets.com, has just bought out a competitor that operates an Active Directory forest named gadgets.com. Management has asked you to provide access to all domains in both forests for users in the widgets.com forest. Each forest contains an empty forest root domain plus three child domains. Users in the gadgets.com forest should not have access to domains in the widgets.com forest. What type of trust relationship should you establish?
A. An external trust in which the widgets.com forest trusts the gadgets.com forest.
B. An external trust in which the gadgets.com forest trusts the widgets.com forest.
C. A forest trust in which the widgets.com forest trusts the gadgets.com forest.
D. A forest trust in which the gadgets.com forest trusts the widgets.com forest.
6. While you were attending a planning meeting that was discussing future upgrades to your company's computing infrastructure, the help desk started to receive numerous calls from users unable to log on. A help desk technician named Carm decided to seize the PDC emulator role on another domain controller. After the meeting, you learn what Carm had done. Upon checking the previous PDC emulator, you discover that its network cable had been accidentally disconnected. What should you do to restore this computer to proper functionality?
A. Reconnect it and transfer the PDC emulator role back to it.
B. Reconnect it and seize the PDC emulator role back to it.
C. Restore this computer's System State, then reconnect it and transfer the PDC emulator role back to it.
D. Reformat this computer's hard disk, reinstall Windows Server 2003 and Active Directory, and then transfer the PDC emulator role back to it.
7. Dorothy is the head administrator of a large financial company with the head office in Washington and branch offices in most major North American cities. Every branch office is configured as its own site in Active Directory. All sites are connected in a partial mesh topology using T1 lines. The servers in use for the domain controllers vary from 500 MHz processors and 256 MB RAM to 2.6 GHz and 2 GB RAM. Assistant administrators at various sites have reported to Dorothy that replication is slow from time to time. Dorothy has been investigating these problems in Active Directory Sites and Services and has noted that replication often takes place from lower-powered servers. What should Dorothy do to make sure that the highest-powered servers undertake the intersite replication tasks?
A. Tell the ISTG to use the highest-powered servers at sites where slow replication has been reported.
B. Tell the KCC to use the highest-powered servers at sites where slow replication has been reported.
C. Create additional site links between sites where slow replication has been reported.
D. Create an extra site link bridge between sites where slow replication has been reported.
E. Add an additional global catalog server at sites where slow replication has been reported.
8. You are the domain administrator for a large company that operates an Active Directory forest with five domains contained within two trees. You are creating a large number of user accounts and realize that there are two users with identical names but in different domains. You remember that certain names must be unique across the entire forest and others must be unique in the domain in which they are located, but need to know for sure which must be unique in the forest. Which of the following names must be unique across the entire forest? (Choose all that apply)
A. LDAP Distinguished Name
B. Relative Distinguished Name
C. Globally Unique Identifier (GUID)
D. Pre-Windows 2000 user logon name
E. User Principal Name (UPN)
9. Jim is a systems administrator for a small, but growing, insurance agency. Up to now, the agency has run a workgroup that contains a Windows 2000 stand-alone server that is used as a file and print server. Various users have computers that are running either Windows 98 or Windows 2000 Professional. Fred has been reading about the benefits of Active Directory security and started to think about the incident last year when a portion of the agency's client database was compromised by an outside hacker. As the company is starting to outgrow the limitations of a workgroup and management is convinced that using Windows Server 2003 with Active Directory will be beneficial, they have given Fred the go-ahead to install a domain controller. However, the stand-alone server is highly used and will not support the additional demands of being a Windows Server 2003 domain controller. The only suitable computer that he has available has been running Windows 98 but has 128 MB RAM, an 800 MHz processor, and a 20 GB hard disk. Jim installs Windows Server 2003 on this computer and then removes the Windows 98 installation. He then runs dcpromo.exe to promote the server to a domain controller. However, the installation fails. Which of the following is the most likely reason for the failure of the domain controller installation?
A. The computer does not have sufficient RAM.
B. The computer requires a second hard disk.
C. The computer does not have a partition formatted with NTFS.
D. DNS is not installed on the server.
10. Wendy is a consultant who is planning to upgrade a large company's Windows NT 4.0 network infrastructure to Windows Server 2003. The company has its head office in Atlanta and branch offices located in San Jose, Houston, and Montreal. Currently, the company is operating four domains, each one representing one of the cities where the offices are located. For security purposes, senior management of the company want the four domain structure retained, and Wendy has proposed that the Atlanta office be configured as a root domain in the forest and the other three offices as child domains within the same tree. She realizes that when she installs the first Windows Server 2003 domain controller in the forest, it will assume all five operations master roles as well as the role of global catalog server, but that she will have to move some of these roles once she has upgraded all Windows NT 4.0 domain controllers to Windows Server 2003. Which of the following are true about the preferred location of operations masters within the network? (Choose all that apply)
A. The infrastructure master should generally be placed on the same server that is acting as the global catalog server.
B. The infrastructure master should never be placed on the same server that is acting as the global catalog server.
C. The schema master should generally be placed on the same server that is acting as the domain naming master.
D. The schema master should never be placed on the same server that is acting as the domain naming master.
E. The RID master should generally be placed on the same server that is acting as the PDC emulator.
F. The RID master should never be placed on the same server that is acting as the PDC emulator.
11. Bertha is the administrator for a clothing outfitter that has offices in Denver, Boise, and Anchorage. The Denver and Boise offices are connected with a dedicated ISDN link; the Anchorage office is connected to the Boise office with a pay-per-use 56k link. She has created the appropriate sites in Active Directory Sites and Services, and moved all Active Directory objects to the appropriate sites. After reviewing the latest bill for the 56k link, the CIO has asked her to change the replication interval on the 56k link to once daily during the night. The replication interval on the ISDN link is not to be changed. Which of the following should Bertha do? Each answer represents part of the solution. (Choose all that apply)
A. Create a site link bridge between Denver and Anchorage.
B. Create a new site link between Denver and Anchorage.
C. Delete the Boise site and move its objects into the Denver site.
D. Configure the site link between Denver and Anchorage to use SMTP-based replication.
E. Increase the site link cost for the Denver to Anchorage site link to 200.
F. Specify a 24-hour replication interval for the Denver to Anchorage site link.
12. Jason's company, which operates a single domain Active Directory network, has opened a new branch office with ten users in a neighboring city. He has configured a new site and added the appropriate subnet to this site. Users in the branch office are complaining of slow logon times even though the two sites are connected by a T1 network line. What should Jason do to correct this problem?
A. Add a global catalog server to the branch office site.
B. Add a DNS server to the branch office site.
C. Add a domain controller to the branch office site.
D. Upgrade the T1 line to T3.
13. You are the network administrator for the gadgets.com domain. One Monday morning on opening the Active Directory Users and Computers snap-in, you receive the following error message: "Naming information cannot be located because the specified domain either does not exist or cannot be contacted. Contact your system administrator to verify that your domain is properly configured and is currently online." On running the Dcdiag tool on the domain controller, you are informed that the W32Time service is stopped and that an error 1355 has occurred. You try to start the Windows Time service but it fails to start. Which of the following is the most likely reason for this error?
A. The infrastructure master is offline.
B. The PDC emulator is offline.
C. The RID master is offline.
D. The domain naming master is offline.
E. The schema master is offline.
14. Phil is the systems administrator for a company called Noramtech. The company operates an Active Directory forest including a root domain called noramtech.com that is based at its Houston head office and two child domains: can.noramtech.com, which is based in Toronto, and mex.noramtech.com, which is based in Mexico City. Each domain is configured as its own site. Users in Mexico City have complained that logon times and the time required to locate resources in Houston or Toronto are very slow at times. Occasionally they are unable to log onto the network at all. What should Phil do to enable the Mexico City clients to receive faster access to resources and always log on to the network?
A. Create a site link bridge between Houston and Mexico City.
B. Enable universal group caching at the Mexico City domain controllers.
C. Configure one of the Houston domain controllers as a global catalog server.
D. Configure one of the Mexico City domain controllers as a global catalog server.
15. You are moving a Windows Server 2003 domain controller named DC7 from your company's main office to its research lab, which operates an OU named Research within your company's single domain network. There are six other domain controllers on the network, four of which run Windows Server 2003 and two of which run Windows 2000 Server. The research manager asks you to rename this domain controller to RESEARCH4, to keep consistency with the names of other Research servers. You attempt to rename the domain controller using the Netdom command but receive an error stating that the domain controller could not be renamed. What is the most likely reason for this problem?
A. You have used the wrong command. You should have used the Dcdiag command instead.
B. The infrastructure master is not available.
C. The domain is not running at the Windows Server 2003 functional level.
D. It is not possible to rename domain controllers. You have to demote the domain controller to member server, rename it, and then promote it back to domain controller.
16. You are the network administrator of an engineering company that employs about 20 designers that work with computer-aided design (CAD) systems. Programmers are working on an upgrade to the CAD applications and want to make use of Windows Server 2003 Active Directory features to improve the availability and fault tolerance of their data storage systems. Which of the following do you recommend to the developers?
A. They should create a data store on a domain controller running Active Directory-integrated DNS, so that client queries can rapidly locate the required data.
B. They should store their data in the configuration directory partition of Active Directory so that it is available from any domain controller.
C. They should store their data in an application directory partition of Active Directory so that it is available from any domain controller.
D. You need to create a server cluster using Windows Enterprise Server 2003 to fulfill their requests. This must wait until you get management approval for new hardware.
17. Chris is the network administrator for Great Western Outfitters, which operates an Active Directory domain with a head office in Calgary and stores in 40 cities across western Canada and the United States. Most stores are connected by leased ISDN lines, but a few are connected only with dial-up 56k lines. Chris wants to configure Active Directory replication on the 56k lines to take place only once a night, while replication over the ISDN lines is to take place once every six hours. Which of the following should Chris do to enable these replication schedules?
A. Create additional site links between the stores connected with ISDN lines.
B. Create additional site links between the stores connected with 56k lines.
C. Create a site link bridge and include the links representing the 56k lines in this site link bridge.
D. Delete the sites associated with stores connected by ISDN lines and include their objects in the same site as the head office.
18. Doug is the systems administrator of a company that operates an Active Directory forest that contains a parent domain called tech.com and two child domains named east.tech.com and west.tech.com. A user named Kristin in the east.tech.com domain has been promoted to supervisor of a work group that is headquartered within the west.tech.com domain. Doug needs to move her account from the east.tech.com domain to the west.tech.com domain so that she can access the proper resources required for her to do her new job. Which of the following tasks should Doug perform in order to move her account?
A. Use the ADMT MMC snap-in tool.
B. Use the Movetree command utility.
C. Copy her user account from the east.tech.com domain to the west.tech.com domain. Then delete the old account from the east.tech.com domain.
D. In Active Directory Users and Computers, right-click her account and select Move. Then enter the new domain name.
19. A new security policy at Sally's company dictates that the door to the server room be locked at all times except during physical inspection and maintenance of the servers. Sally wants to create an OU from her desktop computer running Windows XP Professional. How can she accomplish this task?
A. Install the Windows Server 2003 Administrative Tools Package on the Windows XP Professional computer, and then use Active Directory Users and Computers to create the OU.
B. Install the Windows Server 2003 Administrative Tools Package on the Windows XP Professional computer, and then use Active Directory Domains and Trusts to create the OU.
C. Install Active Directory on the Windows XP Professional computer, and then use Active Directory Users and Computers to create the OU.
D. Install Active Directory on the Windows XP Professional computer, and then use Active Directory Domains and Trusts to create the OU.
20. Barbara is a systems administrator for a single domain Windows 2003 network named corp.com. She has configured a medium security password policy for the domain that requires passwords to be at least 6 characters long. Passwords have a maximum age of 30 days, and the system remembers the 10 most recent passwords. Within the company's domain, there is an OU named Research that requires a higher level of security. For this OU, she decides to configure a GPO linked to the OU that requires passwords to be at least 10 characters in length and to meet the complexity requirements. She tests this policy by logging onto the network from a computer in the Research OU as a regular user with a password of Grapefruit2, and attempts to change the password to orange. Much to her surprise, this password is accepted. Which of the following explains why this password was accepted?
A. The domain-based Group Policy was applied with the No Override setting. Consequently, the conflicting policy that was set at the OU level was not applied, and the policy that had been set at the domain level was the one that was actually applied.
B. Group policies that affect account security such as password policies can be applied only at the domain level. If they are applied at the OU level, they are ignored, and consequently the domain-based policy was applied.
C. Group policies that affect account security must be linked to security groups, and not domains or OUs. Because they were applied to the OU, they are ignored.
D. Group policies are not refreshed until a user logs off and logs on again. Because she did not log off, the stronger password policy has not been applied.
21. Debbie's company is in the midst of setting up a system of smart cards for authentication of users to their Windows XP Professional client computers. The company has installed an enterprise root certificate authority (CA) on one of its Windows Server 2003 domain controllers. Management has asked her to configure a policy for autoenrollment of certificates for smart cards. Which of the following steps should she undertake?
A. In the Certificate Templates snap-in, make a copy of the Enrollment Agent template. Grant the Authenticated Users group the Enroll and Autoenroll permissions on the copied template. Specify the "Prompt the user during enrollment" option to prompt the user to enter his PIN. In a GPO linked to the domain, specify the "Enroll certificates automatically" option, and then select "Renew expired certificates, update pending certificates, and remove revoked certificates" and "Update certificates that use certificate templates."
B. In the Certificate Templates snap-in, grant the Authenticated Users group the Enroll and Autoenroll permissions on the Enrollment Agent template. Specify the "Prompt the user during enrollment" option to prompt the user to enter his PIN. In a GPO linked to the domain, specify the "Enroll certificates automatically" option, and then select "Renew expired certificates, update pending certificates, and remove revoked certificates" and "Update certificates that use certificate templates."
C. In the Certification Authority snap-in, enable the Enrollment Agent and Smartcard Logon templates. In Active Directory Sites and Services, access the Services\Public Key Services\Certificate Templates node, and access the Properties dialog box for the Enrollment Agent certificate template. Specify the Enroll permission for the group that will be responsible for issuing certificates. For each user to be enrolled for a smart card certificate, run the New Certificate Wizard to create the appropriate certificate, and then use the Microsoft Certificate Services web page to request the smart card certificate.
D. In the Certification Authority snap-in, enable the Enrollment Agent and Smartcard Logon templates. In Active Directory Sites and Services, access the Services\Public Key Services\Certificate Templates node, and access the Properties dialog box for the Enrollment Agent certificate template. Specify the Enroll permission for the group that will be responsible for issuing certificates. In a GPO linked to the domain, specify the "Enroll certificates automatically" option, and then select "Renew expired certificates, update pending certificates, and remove revoked certificates" and "Update certificates that use certificate templates."
22. You have been asked to specify uniform settings in Group Policy for password policies, restricted group memberships, and event log analysis on your company's network, which contains three domains in a single Windows Server 2003 forest. Client computers run a mix of Windows 98, Windows 2000 Professional, and Windows XP Professional. You decide to use security templates to simplify the means of creating these in a uniform manner. To accomplish this task, you add the Security Configuration and Analysis and Security Templates snap-ins to a new MMC console, and save this console to the Administrative Tools folder. What series of steps should you perform next?
A. Select the Hisecdc template and make any required modifications. Access the Default Domain Policy GPO for the forest root domain and navigate to the Computer Settings\Windows Settings\Security Settings node. Import the security template settings to this node.
B. Select the Hisecdc template and make any required modifications. Access the Default Domain Policy GPO for each domain of the forest in turn, and navigate to the Computer Settings\Windows Settings\Security Settings node. Import the security template settings to this node in each required GPO.
C. Select the Securedc template and make any required modifications. Access the Default Domain Policy GPO for each domain of the forest in turn, and navigate to the Computer Settings\Windows Settings\Security Settings node. Import the security template settings to this node in each required GPO.
D. Select the Securedc template and make any required modifications. Access the Default Domain Policy GPO for the forest root domain and navigate to the Computer Settings\Windows Settings\Security Settings node. Import the security template settings to this node.
23. Your company has just opened a new office and hired 50 new employees including Joe, who is a newly graduated MCSA. Having created a new OU named Office5, you proceed to use the Delegation of Control Wizard to delegate administrative control of this OU to Joe, so that he can manage user and group accounts, reset passwords, and modify group memberships. The next day, Joe is unable to reset a password, even though he was able to do so for other users. Joe calls and asks you to correct this problem. You are able to reset the password, and you then check into his problem. Which of the following should you check first?
A. The permissions on Joe's account
B. The permissions on the Users group
C. The permissions on the Office5 OU
D. GPOs linked to the Office5 OU
24. Your company operates a Windows Server 2003 forest that contains an empty root domain and two child domains named east.acme.com and west.acme.com. Both domains contain several OUs including Finance, Management, and Distribution. The CIO has asked you to move a member server named SRV3 from the Finance OU in east.acme.com to the Distribution OU in west.acme.com. How can you accomplish this task most easily?
A. Right-click the server in Active Directory Users and Computers and choose Move. Then specify the new location of the server object.
B. Use the Dsmov utility at the infrastructure master to move the server from its current location to the required location.
C. Use the Dsmov utility at the RID master to move the server from its current location to the required location.
D. Use the Movetree utility at the infrastructure master to move the server from its current location to the required location.
E. Use the Movetree utility at the RID master to move the server from its current location to the required location.
25. Ruth is the head administrator for a large accounting company that has offices in ten major cities across the United States plus two in Canada. The company operates an Active Directory forest consisting of an empty root domain plus three child domains representing business divisions in the East, West, and Canada. Upon request from the CEO, she has created a separate single-domain forest for the company's legal operations, plus a forest trust relationship between the two forests. Now she needs to enable access for a series of users in all child domains to the Legal forest. She needs to plan a group nesting strategy that will facilitate the granting of access to those who need it. Which of the following should Ruth do?
A. Add the users in each child domain to a domain local group in that domain. Then add these groups to a universal group, and add the universal group to a domain local group in the Legal domain.
B. Add the users in each child domain to a universal group. Then add the universal group to a domain local group in the Legal domain.
C. Add the users in each child domain to a global group in that domain. Then add these groups to a global group in the Legal domain. Finally add the global group in the Legal domain to a domain local group in the same domain.
D. Add the users in each child domain to a global group in that domain. Then add these groups to a universal group, and add the universal group to a domain local group in the Legal domain.
26. Emily is the domain administrator for a company that is planning an upgrade of their Windows NT 4.0 domain to Windows Server 2003. She realizes that she can delegate control of portions of the domain to sub-administrators by creating a system of OUs. She also realizes that the system of OUs will help her deploy Group Policy, and she is in the midst of deciding how to plan the company's OU structure. In which of the following ways could she design the company's OU structure? (Choose all that apply)
A. According to physical locations
B. According to departmental structure
C. According to legal and security needs
D. According to roles of objects contained therein
27. Paul is the head network administrator for Midwest Electrical, a company that produces everything that electricians or home handymen may need from light sockets to 1000-volt transformers. The company operates several manufacturing divisions in different cities as well as management and sales offices located in several states. The company is in the midst of planning an upgrade of their Windows NT 4.0 domain to Windows Server 2003, and Paul has been discussing the required components of Active Directory with managers in the various offices. Managers want support staff in the different divisions and offices to have administrative control over components of Active Directory for their own divisions only. How should Paul organize Active Directory to enable the delegation of administrative control as requested by management?
A. Create separate OUs for each division and office.
B. Create separate sites for each division and office.
C. Create separate child domains for each division and office.
D. Install additional domain controllers at each division and office.
28. You have set up a smart card enrollment station on a Windows Server 2003 member server that is configured as an enterprise subordinate certification authority (CA) in your company's Windows Server 2003 domain. A user named Jason attempts to enroll for a smart card logon certificate but is denied access. Which of the following most likely explains why he was unable to enroll for a smart card certificate?
A. Jason's user account properties do not specify the requirement for smart card logon.
B. Jason's user account does not belong to the Domain Admins group.
C. Jason does not have the proper permission to the Active Directory certificate template file in Active Directory.
D. Active Directory has not replicated the certificate template file.
29. Rachel's company is upgrading the standard office application suite from Microsoft Office 2000 to Microsoft Office 2003. Management has asked her to create a software upgrade package that allows users to continue using Office 2000 for up to 60 days, after which they will be forced to upgrade to Office 2003. What should Rachel do to accomplish this task? Each answer represents part of the solution. (Choose all that apply) A. Create an upgrade package that makes Office 2003 an optional upgrade with a 60-day conversion period. B. Create an upgrade package that makes Office 2003 a required upgrade. C. Create an upgrade package that makes Office 2003 an optional upgrade. D. After 60 days, delete the upgrade package and create a new upgrade package that makes Office 2003 a required upgrade. E. After 60 days, change the upgrade type from optional to required. F. After 60 days, change the upgrade type from required to optional.
30. You are investigating a complaint from a user named Christa that she does not have access to the Run command on her desktop computer running Windows XP Professional. Which two of the following tools can help you to determine what group policies are being applied to her computer and may be causing the unwanted situation? (Choose all that apply) A. Resultant Set of Policy (RSoP) in planning mode B. Resultant Set of Policy (RSoP) in logging mode C. GPUPDATE D. GPOTOOL E. GPRESULT
31. You are a domain administrator and you have been tasked with reviewing the Domain Controllers Baseline Policy (Domain Controller.inf) to verify some of the settings that are enabled when the template is in use. Under this template, which of the following default users/groups can log on locally if none of the defaults have been changed? (Choose all that apply) A. Administrators B. Domain Users C. Remote Desktop Users D. Account Operators E. Print Operators F. Windows Authorization Access Group
32. Simon is a systems administrator for a company that operates a Windows Server 2003 network that consists of a single domain. Recently, a hacker accessed the network from a user's account by guessing the user name and then using a password sniffer to crack the password. As a result, Simon has implemented a password policy in the Default Domain Policy GPO that requires passwords of at least nine characters in length and that the passwords meet the complexity requirements. One of his colleagues whose account is located in the Sales OU reports to him that she can still log onto the network successfully using her old password, which contained only seven characters, all lowercase alphabetic. Which of the following should Simon do first to ensure that the password policy is properly enforced? A. Look for conflicting policies on GPOs that are linked to the Sales OU. B. Require all users to change their passwords. C. Use RSoP in logging mode to check what policies are being enforced and in which order. D. Manually force Active Directory replication to take place.
33. Laura is a systems administrator for White's Cameras, which operates a single Active Directory domain and a series of sites that represent stores located throughout Southern California. All stores are connected to the head office in San Diego by 56 Kbps leased lines. The stores must be in contact with head office across the leased line to maintain accounting and inventory databases in a properly up-to-date fashion. All users in the stores have user accounts in the domain, but most stores do not have domain controllers located there, generally only a single member server and one or two workstations. As store business has increased in the last few months, employees at the stores have started to complain about slow logon response during store opening time. What actions should Laura take first to improve logon response? A. Install a domain controller at every site. B. Install a global catalog server at every site. C. Employ universal group caching. D. Configure Active Directory replication to take place only during the night.
34. You are the domain administrator for a company that operates a single-domain Active Directory network with 2000 users and numerous OUs. Following a recent corporate reorganization, you asked a junior administrator named Sharon to clean up some old accounts that were no longer required. However, Sharon deleted an OU that was still in use and contained over fifty active user accounts, some of which had specialized permissions associated with them. You need to get the OU and its associated user accounts back as rapidly as possible to ensure minimal work disruption. What should you do? Each answer represents part of the solution. (Choose all that apply) A. Recreate the deleted OU using Active Directory Users and Computers before restoring the user accounts. B. Start the domain controller in Directory Services Restore Mode before restoring the user accounts. C. Restore the ntds.dit file and the SYSVOL folder from the most recent backup. D. Restore the domain controller's System State from the most recent backup. E. Use the ntdsutil tool to increment the USNs of the restored objects. F. Use the repadmin tool to force replication of the restored data to all other domain controllers.
35. Evan is the domain administrator for a company named Helpful Hardware, Inc. This company operates an Active Directory forest containing a root domain plus two child domains. They have just signed a working agreement with a small company named Screwdrivers Unlimited, which operates a single domain Active Directory network. To facilitate exchange of information, Evan has configured a forest trust relationship between the Active Directory forests, using all the defaults suggested by the New Trust Wizard. Managers at Screwdrivers Unlimited want to ensure that users from Helpful Hardware can access only the appropriate resources on a server named Server3 and do not have access to other portions of their network. What should Evan do to accomplish this task? A. Ask the administrators at Screwdrivers Unlimited to add Server3 as a global catalog server in the Helpful Hardware forest. B. Ask the administrators at Screwdrivers Unlimited to configure Server3 as a member server in the root domain of the Helpful Hardware forest. Then remove the trust relationship between the two forests. C. Change the authentication scope of the trust relationship between the two forests. D. Replace the forest trust relationship with an external trust relationship.
36. You are the domain administrator for a company that operates the corp.com domain. A new employee at a branch office has complained that she cannot log on using her new user account that you created last week. You suspect that updates to Active Directory have not replicated properly over the link to the branch office. Which of the following commands should you use to monitor Active Directory replication to the domain controller named BranchDC located at the branch office? (Choose all that apply) A. Netdom B. Repadmin C. Replmon D. Dcdiag
37. Priscilla is the domain administrator for her company whose single-domain Windows Server 2003 network is called corp.com. Servers on the network include two Windows Server 2003 domain controllers, two Windows 2000 domain controllers, three Windows 2000 member servers, and one Windows NT 4.0 member server. Client computers include 120 Windows XP Professional computers, 75 Windows 2000 Professional computers, and 30 Windows NT 4.0 Workstation computers. One morning the help desk received four phone calls from users on the Windows NT 4.0 Workstation computers. These users complained that they had to change their password, but when they attempted to do so, the attempt was rejected, and they were unable to log onto the domain. On investigating, Priscilla discovered that the hard disk on one of the Windows Server 2003 domain controllers had failed irreparably, and would need to be replaced. What is preventing them from changing their passwords, and what should Priscilla do to permit them to change their passwords before the failed computer was restored? A. The failed domain controller has the role of infrastructure master. Because this role is necessary for the users to change their passwords, she must transfer this role to one of the other two domain controllers. B. The failed domain controller has the role of PDC emulator. Because this role is necessary for the users to change their passwords, she must transfer this role to one of the other two domain controllers. C. The failed domain controller has the role of infrastructure master. Because this role is necessary for the users to change their passwords, she must seize this role at one of the other two domain controllers. D. The failed domain controller has the role of PDC emulator. Because this role is necessary for the users to change their passwords, she must seize this role at one of the other two domain controllers.
38. Melanie is the administrator of a single-domain Windows Server 2003 network that contains five domain controllers and ten member servers running either Windows 2000 Server or Windows Server 2003. The network contains 650 client computers, all of which run either Windows 2000 Professional or Windows XP Professional. The network is spread over several floors of two adjacent Chicago office towers. Recently, the help desk has been plagued with complaints that logons are taking longer than they used to and that access to file servers is often slow as well. Melanie suspects that replication is at least part of the problem, and she needs to make adjustments to improve logon times. Which of the following should she try first? A. Divide the network into two or more OUs. B. Divide the network into two or more domains. C. Divide the network into two or more sites. D. Promote several of the member servers to domain controllers.
39. Joyce is the network administrator of a company that is spread over two offices located in different parts of the Los Angeles metropolitan area. The offices are connected with leased T1 lines, and are configured in Active Directory Sites and Services as separate sites named LA and Burbank. The sites are connected with a site link that has a cost of 5. As the company expands, they purchase a third office, extend the T1 link to this office, and install a new site named Anaheim in Active Directory Sites and Services. She needs to link this new site to the existing sites. How should Joyce proceed? A. Add the Anaheim site to the existing site link. The cost will be the same between each connected site. B. Create a site link between Anaheim and Burbank, and set the cost of this link to 4. Create a site link bridge between Anaheim and LA. C. Create a site link between Anaheim and LA, and create a site link bridge between Anaheim and Burbank. Set the cost of the link between Anaheim and LA to 4, and the cost between South and East to 3. D. Create an SMTP link between Anaheim and LA, because it is asynchronous and will perform without configuring a schedule. This avoids multiple IP site links.
40. Shelley is a consultant who is setting up Active Directory for her client. After having installed three domain controllers in the forest root domain, she remembers that the client has asked her to add additional objects and attributes to the schema. She remembers she needs to install the Active Directory schema snap-in to an empty MMC console, but when she accesses the Add Standalone Snap-in dialog box, she is unable to find the Active Directory schema snap-in. What does she need to do in order to find this snap-in? A. Add her account to the Schema Admins group. B. Register the Active Directory Schema snap-in. C. Copy the Active Directory Schema snap-in from the Tools folder of the Windows Server 2003 CD-ROM. D. Try again at the domain controller that holds the Schema Master role.
41. Bob is adding user accounts representing newly hired college graduates and summer students to his company's domain. After adding 38 new user accounts, he is unable to add any more. What is the most likely reason for his inability to add more user accounts? A. The infrastructure master is offline. B. The network connection to his computer has failed. C. The RID master is offline. D. The PDC emulator is offline.
42. Angela's company operates an Active Directory forest that consists of two trees, westco.com and eastco.com. Each of these trees contains six domains. Users in the sales.la.westco.com have been complaining that it takes excessive time to reach resources in the sales.ny.eastco.com domain. What should Angela do to speed up access to frequently used resources located in a child domain of a second tree? A. Establish an external trust relationship between the sales.la.westco.com and sales.ny.eastco.com domains. B. Establish a shortcut trust relationship between the sales.la.westco.com and sales.ny.eastco.com domains. C. Configure at least one server in each domain as a global catalog server. D. Establish a site link between the sales.la.westco.com and sales.ny.eastco.com domains.
43. Brent is the network administrator for a company that operates a single domain Active Directory network. A user named Connie complains that she is unable to log onto the network from some computers that she normally uses in the course of her duties. He suspects that another administrator may have changed some of the properties of Connie's user account. All domain controllers have in place an account management audit policy. Brent would like to determine who changed her account properties and when these changes occurred. There are a large number of entries in the Event Viewer logs. Brent goes to a domain controller, opens the Event Viewer, and looks at the security log. He finds that there are a large number of entries related to various occurrences, and realizes that it will take a very long time to sort through these entries. He needs to sort the entries to locate any that relate to this problem. Which of the following should Brent do within Event Viewer to most efficiently locate the required entries? Each answer represents part of the solution. (Choose all that apply) A. Use the Find command in the View menu. B. Use the Filter command in the View menu. C. Use the Export List command in the Action menu. D. Specify Connie's name in the User text box. E. Specify Connie's name in the Description text box.
44. Fred is the domain administrator of an international shipping company that maintains a head office in New York and other offices in San Francisco, Paris, and Sydney, Australia. Each site has five to ten domain controllers and uses the default intrasite replication settings. Fred has configured the intersite replication to take place according to the following schedule: * Replication between New York and San Francisco takes place every evening, Monday to Friday, inclusive. * Replication between New York and Paris takes place on Saturday (morning, New York time, afternoon, London time). * Replication between San Francisco and Sydney takes place on Sunday (morning, San Francisco time, evening, Sydney time). * No direct replication is configured to take place between pairs of sites not mentioned above. One Monday morning, an administrator in Sydney added several new users. Which of the following best describes the rate at which these users will be replicated across the network? A. The change will be replicated among all domain controllers in Sydney within 15 minutes and will be replicated across the entire network within 1 week. B. The change will be replicated among all domain controllers in Sydney within 15 minutes and will be replicated across the entire network within 2 weeks. C. The change will be replicated among all domain controllers in Sydney within 5 minutes and will be replicated across the entire network within 1 week. D. The change will be replicated among all domain controllers in Sydney within 5 minutes and will be replicated across the entire network within 2 weeks.
45. Frank is a network administrator for a domain named fastaccounting.com. He is responsible for eight sites that represent branch offices in various California cities. Users at the San Diego site have complained that it takes more time to log onto the network than it used to. This site hosts two domain controllers, one of which is configured as a global catalog server, and the other as a DNS server. Which of the following tools should Frank use first to troubleshoot this problem? (Choose all that apply) A. Replmon B. NBTSTAT C. Event Viewer D. Network Monitor E. GPRESULT
46. Maggie and Julian are two systems administrators with DesignToGo, a computer-assisted design company with offices in St. Louis, Phoenix, and Calgary. The company operates an Active Directory network with a single domain called designtogo.com and three sites. The company has been experiencing considerable growth over the last few years, but recently experienced a slight downturn that resulted in curtailment of the operations of one department located in Phoenix. Working in Phoenix, Maggie deleted an OU pertaining to the curtailed department after having moved user accounts to other OUs representing the changed responsibilities of employees that had been in that department. At the same time in St. Louis, Julian moved the user account of an employee to the OU that Maggie had just deleted. He was able to do this because replication of the deletion had not occurred at that time. What happened to the user account that Julian moved into the deleted OU when replication took place between the two sites? A. The account was deleted from Active Directory along with the deleted OU. B. The user account was placed in the domain root. C. The deleted OU was recreated in Active Directory and propagated to all domain controllers. D. The user account was placed in the LostAndFound container.
47. You are the head administrator for a financial company that operates an Active Directory forest containing two domains. The child domain belongs to the Market Research department and they have complete control over this domain. An analyst named Maria administers this domain on a part-time basis and is responsible for backups and restores among other tasks. One morning, Maria calls you for assistance when she discovers that the hard disk on the lone domain controller in the child domain has failed and she needs to restore the data, which was backed up the evening before. What type of restore do you suggest that Maria undertake? A. Authoritative restore B. Nonauthoritative restore C. Normal restore D. Primary restore
48. Peter's company has just opened a branch office and Peter is in charge of creating a new Active Directory site for this office. He opens the Active Directory Sites and Services snap-in and accesses the New Object-Site dialog box. Other than the name of the site, what other piece of information does Peter need to supply to create the site? A. The name of a licensing server. B. The name of a domain controller that will be located in the new site. C. Information on one or more IP subnets to be contained within the new site. D. The site link object associated with the new site.
49. Sheila is the administrator of the corporate.com domain. She has created several Active Directory containers, as follows: * An OU named Marketing * An OU named Management * A child domain named research.corporate.com * An OU named Development, located in the research.corporate.com domain. In which of the following containers can Sheila create a Group Policy Object? (Choose all that apply) A. Management OU B. Computers C. Marketing OU D. Development OU E. The research.corporate.com domain F. Builtin
50. Kathy is a systems administrator working for a company that operates a single-domain Windows Server 2003 network. Recently, a large power outage caused the loss of data from several computers in the Engineering department where complex design work is being carried out. Users in this department have their accounts in the Engineering OU, but only design engineers belong to the Design domain local security group. The manager of this department wants to ensure that all data belonging to members of the Design group is stored on a server named ENGNGSVR where it can be properly backed up. Data belonging to other members of this department should be stored on a server named FILESVR. What should Kathy do to accomplish this task with the least amount of administrative effort? A. Configure a folder redirection policy in a GPO linked to the Engineering OU, specify the Basic option, and redirect all users' documents to the ENGNGSVR server. Filter this GPO so that it applies only to members of the Design domain local group. Configure a second folder redirection policy in a GPO linked to the domain, specify the Basic option, and redirect all users' documents to the FILESVR server. B. Configure two folder redirection policies in a GPO linked to the Engineering OU. In the first policy, specify the Basic option, redirect all users' documents to the ENGNGSVR server, and filter this policy so that it applies only to members of the Design domain local group. In the second policy, specify the Basic option and redirect all users' documents to the FILESVR server. C. Configure a folder redirection policy in a GPO linked to the Engineering OU, specify the Advanced option, and redirect the My Documents folder belonging to the Design domain local group to the ENGNGSVR server. Redirect the My Documents folder belonging to other users to the FILESVR server. D. Configure a folder redirection policy in a GPO linked to the domain, specify the Advanced option, and redirect the My Documents folder belonging to the Design domain local group to the ENGNGSVR server. Redirect the My Documents folder belonging to other users to the FILESVR server.
51. Judy is the systems administrator of a small company that operates an Active Directory network. She has been plagued with incidents of users installing unauthorized software that has resulted in lost productivity and help desk calls to clean up corrupted computers. When checking several of these computers, she realized that users were adding their domain accounts to the local Administrators group to grant them the capability to install software. What should Judy do to prevent the users from adding themselves to the local Administrators group? A. Specify an audit policy in a GPO linked to the domain that tracks account management events. B. Specify a software restriction policy in a GPO linked to the domain that specifies only approved software to be run. C. Specify a restricted groups policy in a GPO linked to the domain that restricts membership in the local Administrators groups. D. Specify a user rights assignment policy in a GPO linked to the domain that denies local administrators the right to install software.
52. At the time your company upgraded their Windows NT 4.0 domain to Windows Server 2003, you prepared a Windows Installer .msi package and a GPO for publishing an accounting package to all users on the network that needed to access it. More recently, the programmers who developed the package have produced an upgrade patch and provided it to the company in the form of a .msp file. What should you do to apply the patch and deploy it to the users? A. Modify the original package by using the .msp file and redeploy it. B. Transform the .msp file to a .mst file and use it in a new deployment package. C. Use Software Installation and Maintenance to publish the .msp file to the users who require it. D. Package the .msp file as a portion of a .zap file, and use it to modify the original package. Then redeploy the original package.
53. Jennifer is a systems administrator for a medium-sized company that runs a Windows Server 2003 single-domain network. All client computers in the company run either Windows 2000 Professional or Windows XP Professional, and all servers run either Windows 2000 Server or Windows Server 2003. There is an Accounting department whose members all belong to the Accounting OU and need to have Excel installed on their desktops. To make Excel available to all members of the Accounting OU, Jennifer decides to create a GPO linked to this OU. Within this GPO, she specifies \\server4\excel as the location of a Windows Installer .msi file that will be used to install and configure Excel on these users' desktops. However, the next morning when the users log onto their computers, Excel has not been added to their Start, Programs menu. Which of the following is the most likely reason for the failure of Excel to appear on the users' Programs menu? A. Jennifer has not given the Accounting users the proper permission to install applications. Because the applications install in the security context of the users that are currently logged on, if the user does not have the proper permission, the application will not appear in the Start menu. B. Jennifer attempted to deploy the application to an OU rather than to a group. She needs to deploy the application to a group because applications can be deployed only to individuals, computers, or groups. C. Jennifer published the application rather than assigning it. Published applications do not appear in the Start menu. However, they can still be installed from the Add/Remove Programs applet or by double-clicking a file containing an extension associated with the application. D. Jennifer specified a network location as the location of the Windows Installer package that will install the file on the users' computers. For the GPO to function properly, she must specify a local hard drive of the server where she configured the GPO as the location of the Windows Installer package.
54. Debbie is a network administrator for a catalog order warehouse. The company has put in place a more restrictive desktop policy for data entry clerks, and she has configured the required changes to the appropriate GPO. She now wants the GPO to take effect as soon as possible. Which of the following actions should Debbie take to make the GPO take effect immediately with the least amount of administrative effort? A. From the Computer Management snap-in, force the remote computers on which the policy is required to shut down and restart. B. Run the gpresult.exe tool on the server where she just reconfigured the GPO. At the Client computers tab, select the option labeled Refresh group Policy settings on all affected computers. C. Use the Secedit command to refresh the policy. D. Use the Gpupdate command to refresh the policy.
55. Mike is the senior network administrator of his company's single-domain Active Directory network. The company maintains a large call center, which is staffed with approximately 400 technical support staff, who are mostly entry-level technicians and move on to more senior positions elsewhere after a year or two. Consequently, there is a continuing large rate of staff turnover. Mike's manager wants to implement an improved level of security in the call center, whose user accounts are all maintained in an OU called Support. He decides that he needs an account lockout policy for the OU which locks out users after four unsuccessful logon attempts. Which of the following actions should Mike perform in order to implement this policy? A. Open the domain's Default Domain Policy and go to the Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy node. Configure the Account lockout threshold policy for four unsuccessful logon attempts. Configure appropriate values for the Account lockout duration and Reset account lockout counter after policies. B. Create a new GPO named Account Lockout and link it to the Support OU. Open this GPO and go to the Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy node. Configure the Account lockout threshold policy for four unsuccessful logon attempts. Configure appropriate values for the Account lockout duration and Reset account lockout counter after policies. C. Open the domain's Default Domain Controllers Policy and go to the Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy node. Configure the Account lockout threshold policy for four unsuccessful logon attempts. Configure appropriate values for the Account lockout duration and Reset account lockout counter after policies. D. Create a new GPO named Account Lockout and link it to the Support OU. Open this GPO and go to the User Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy node. Configure the Account lockout threshold policy for four unsuccessful logon attempts. Configure appropriate values for the Account lockout duration and Reset account lockout counter after policies.
56. You are the domain administrator for an architectural company that operates a single domain Windows Server 2003 network. There are OUs corresponding to the Administrative, Design, and Financial departments of the organization. You have assigned the responsibility of administering the Design OU to a junior network administrator named Murray. He has configured a GPO named DesPolicy and linked it to this OU. This policy contains desktop settings that should be applied to members of the OU. When Murray logs on to the network using a test account in the Design OU to check the application of the GPO, he discovers that there are some settings that he has not specified as part of the DesPolicy GPO, and that he would prefer not to have applied to the Design OU. He meets with you to resolve this problem, and you realize that these policies are contained in another GPO that is linked to the domain. What should you do to prevent the settings for this policy from affecting the users in the Design OU? A. Configure the domain for Block Policy Inheritance. B. Configure the Design OU for Block Policy Inheritance. C. Configure the GPO linked to the domain for No Override. D. Configure the GPO linked to the Design OU for No Override.
57. Alex is the network administrator for an engineering company that operates a single domain native mode Windows Server 2003 network. The company's offices occupy five contiguous floors of a midtown Manhattan office tower, and the network is configured with only the default site. Users in the Engineering division require specific drive mappings that enable them to connect to several proprietary client/server databases containing design specification and materials analysis data. The Engineering employees' user accounts are located in an OU named Engng and their computer accounts are located in an OU named EngngWork. Employees from other divisions of the business at times need to use the computers in the Engineering department, but should not have access to the databases. Also, the users in this department should be able to access the mappings only if they are logged onto a computer in their own department. Alex has written a script named Design.vbs that creates the mappings to the shares on two file servers that contain the required databases. What should Alex do to deploy the Design.vbs script to the Engineering employees with the least amount of administrative effort? A. Create a GPO that includes the Design.vbs script as a startup script, and link it to the Engng OU. B. Create a GPO that includes the Design.vbs script as a startup script, and link it to the EngngWork OU. C. Create a GPO that includes the Design.vbs script as a logon script, and link it to the EngngWork OU. D. Create a GPO that includes the Design.vbs script as a logon script, and link it to the Engng OU.
58. Vince's company is operating a Windows Server 2003 domain in Windows 2000 mixed functional level. The domain includes a Windows NT 4.0 backup domain controller (BDC) that is running Service Pack 6a, and cannot be upgraded because of special hardware that is not supported by newer versions of Windows. Client computers run either Windows 2000 Professional or Windows XP Professional. After a recent "man-in-the-middle" attack, management has asked him to configure a domain-based GPO that provides for digital signing of all network packets without impeding communications with the Windows NT 4.0 BDC. Which of the following Group Policy security options should Vince enable? (Choose all that apply) A. Domain member: Digitally encrypt or sign secure channel data (always) B. Domain member: Digitally encrypt secure channel data (when possible) C. Domain member: Digitally sign secure channel data (when possible) D. Microsoft network client: Digitally sign communications (always) E. Microsoft network client: Digitally sign communications (if server agrees) F. Microsoft network server: Digitally sign communications (always)
59. You are a domain administrator for a large engineering company that has made considerable use of the software distribution functions in Group Policy. Recently, you have received several complaints from users that they are having difficulty finding the appropriate applications in the Control Panel Add or Remove Programs applet because the list of available applications is very long. What should you do to assist users in locating the proper applications? A. Send users e-mail messages with a description of the available packages and their locations on the network. B. Create software categories for the published applications. C. Create software categories for the assigned applications. D. Consult with management to determine which users need which applications, and then create separate GPOs that publish the appropriate packages as required. E. Consult with management to determine which users need which applications, and then create separate GPOs that assign the appropriate packages as required.
60. Charles is a network administrator for a medium-sized engineering company that hires a large number of college students during the summer months. The company operates a single domain Windows Server 2003 network with two sites corresponding to its San Jose and Los Angeles offices. Among the students hired at these offices are several computer science students who are entering their senior year and have been given the responsibility of maintaining user and group accounts. One September morning, Charles needed to delete the user accounts of several students who had recently returned to college. However, he discovered that one of these accounts had already been deleted. Earlier in the summer, he had appropriately configured the network to audit all objects in Active Directory. He now wants to verify the proper deletion of the student's account, and find out who has deleted the account. What should Charles do to accomplish this task with the least amount of administrative effort? A. He should look for Directory Service Access events in each domain controller's Security log. B. He should look for Account Management events in each domain controller's Security log. C. He should look for Object Access events in each domain controller's Security log. D. He should look for Process Tracking events in each domain controller's Security log.